Security Measures Implemented

  • Transport Security: HTTPS/TLS 1.2+ enforced in production; HSTS with 1-year max-age; all HTTP redirected to HTTPS via Flask-Talisman.
  • Authentication: Passwords hashed with PBKDF2-SHA256 (600,000 iterations); session tokens cryptographically random; strong Flask-Login session binding; protection against session fixation.
  • CSRF Protection: SameSite=Lax cookies; CSRF tokens on all state-changing forms; REST API uses JWT Bearer tokens (CSRF exempt).
  • Content Security Policy: Strict CSP restricting script/style sources; frame-ancestors 'none' to prevent clickjacking.
  • Rate Limiting: IP-based limits on all auth endpoints (15/min login, 5/hr register), API (200/day), uploads (60/hr), fingerprint (120/min).
  • Input Validation: HTML sanitised with Bleach; parameterised SQL via SQLAlchemy; file uploads validated by extension and size.
  • Audit Logging: All authentication events, data modifications, and downloads logged with IP, timestamp, and user-agent.
  • API Security: JWT with 1-hour expiry; refresh tokens (30 days); API key rotation; admin endpoints require super_admin role.
  • Database: PostgreSQL with SSL connections; least-privilege access; connection pooling with health checks.
  • Visitor Intelligence: Comprehensive fingerprinting for fraud and abuse detection, disclosed in the Privacy Policy.
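The authentication bullet above names the password-hashing parameters (PBKDF2-SHA256, 600,000 iterations), random session tokens and session-fixation protection. The following is an added example of how those three pieces fit together, written here for illustration; it is not the site's own code. It uses only the Python standard library, an in-memory dict in place of the PostgreSQL user table and Flask-Login session store, and a self-describing hash string format (pbkdf2_sha256$iterations$salt$hash) that is an assumption of this example, not the format the site stores. It also shows two checks a practitioner wants on top of the stated parameters: a constant-time comparison, and transparent rehashing when a stored hash was produced with fewer iterations than the current policy.

```python
import base64
import hashlib
import hmac
import secrets

# Policy values taken from the page: PBKDF2-SHA256 with 600,000 iterations.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16   # per-user random salt (assumption: 128-bit)
DKLEN = 32        # derived-key length in bytes (assumption: 256-bit)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing string: pbkdf2_sha256$<iters>$<salt_b64>$<dk_b64>.

    The iteration count is stored alongside the hash so the policy can be raised
    later and old hashes recognised and upgraded (see needs_rehash).
    """
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def _parse(stored: str):
    algo, iters, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(dk_b64)


def verify_password(password: str, stored: str) -> bool:
    iterations, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # Constant-time comparison: a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the stored hash was made with fewer iterations than current policy."""
    stored_iters, _, _ = _parse(stored)
    return stored_iters < iterations


def new_session_token(nbytes: int = 32) -> str:
    """Cryptographically random, URL-safe session identifier (256 bits of entropy)."""
    return secrets.token_urlsafe(nbytes)


# Hash of a throwaway value, used so that a login attempt for an unknown username
# costs the same PBKDF2 work as one for a real user (avoids a timing oracle that
# would reveal which usernames exist).
_DUMMY_HASH = hash_password(secrets.token_urlsafe(16))


def login(username: str, password: str, users: dict, sessions: dict):
    """Authenticate and return a fresh session token, or None on failure.

    users:    username -> stored hash string (stand-in for the user table)
    sessions: token -> username (stand-in for the server-side session store)
    """
    stored = users.get(username, _DUMMY_HASH)
    ok = verify_password(password, stored) and username in users
    if not ok:
        return None
    # Upgrade hashes created under an older, weaker iteration policy while we
    # still have the plaintext in hand.
    if needs_rehash(stored):
        users[username] = hash_password(password)
    # Session-fixation protection: a brand-new token is minted on every
    # successful login rather than reusing any identifier the client presented.
    token = new_session_token()
    sessions[token] = username
    return token
```

Each call to hash_password or verify_password costs roughly 600,000 HMAC-SHA256 evaluations; that is the point of the parameter, so login endpoints need the rate limits listed above as well, since the work factor alone does not stop online guessing.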

Vulnerability Disclosure

Report vulnerabilities to security@vettrack.pro. We respond within 72 hours and resolve critical issues within 30 days.

Incident Response

In the event of a data breach, affected users will be notified within 72 hours as required by GDPR Article 33/34.